Q & A: Equifax data breach victims may file for restitution

Phillips Murrah attorney Cody J. Cooper was featured on Wednesday, Aug. 21, in a Q&A feature in the Oklahoman newspaper.

Photo of Oklahoma City Patent Attorney Cody Cooper

Cody Cooper is a Patent Attorney in the Intellectual Property Practice Group and represents individuals and companies in a wide range of intellectual property, patent, trademark and copyright matters. His practice also includes commercial litigation.

Equifax is a consumer credit reporting agency and, ironically, one of the products it publicly sells is individual credit monitoring. In 2017, Equifax disclosed one of the largest known data breaches in the United States affecting about 143 million people — close to half of the U.S. population. Equifax claimed that the breach was the result of their systems being hacked by thieves seeking to obtain information that is commonly referred to in the world of data privacy and cybersecurity as personally identifiable information (PII). The thieves were able to exploit a website application vulnerability to gain access to files that included customer names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. Lawsuits were initiated by a number of entities, including the Federal Trade Commission, and a $700 million dollar settlement was recently reached, which included a total of $425 million to compensate individuals, $100 million in civil money penalty, as well as other relief.

Who is entitled to recover, how do you submit a claim and is $125 the amount I can recover?

Anyone whose information was included within the documents that were stolen is eligible to receive benefits. In order to submit a claim, an affected individual needs to go to and complete the requested information. While submitting your claim, there are two compensation options: (1) credit monitoring for 10 years or (2) a cash payment. The payment was estimated at $125, but that is likely to change because of the overwhelming number of people who have apparently opted in for the settlement payment. Apparently of the settlement amount, only a small portion — approximately $31 million — of the overall amount is earmarked for cash payments, which means that the more people who sign up for the cash payment could greatly decrease the amount paid to each person. In fact, the most recent stories suggest that the FTC is going to allow individuals who initially opted-in for cash payment to change their selection to credit monitoring because of the number of people who have already chosen the cash option and the small amount that would be paid to each.

What constitutes a data breach?

A data breach can be most easily described as the unauthorized access of information. The issues get nuanced from there. This is a particularly hot topic right now with the Equifax settlement and the most recent announcement that Capital One has suffered a data breach affecting about 106 million people or about a third of population.

How does the public find out about a data breach incident?

What we see in the news is for reportable breaches. Reportable breaches typically include PII. However, not all data breaches must be reported. In fact, most data breaches are likely never publicly disclosed. If PII is not involved, the organization that suffered the breach typically surveys the damage, addresses the breach, takes steps to mitigate the impact and moves along without ever telling anyone — except possibly industry regulators, if required, and their insurance company, if they are smart and have cybersecurity insurance.

What does the law say about organizations disclosing a data breach?

Importantly, there is no uniform “data breach” or “breach notification” federal law. Instead, these laws are formed by a hodgepodge of state laws (all 50 states have a breach notification law) and various other laws, including Gramm Leach Bliley Act, NAIC Insurance Data Security Model Law, New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies, and the National Credit Union Administration’s Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. Because of this, the standards applied from state to state and industry to industry can vary. For example, the definition of PII can be slightly different for each law. Some states include biometric data (fingerprint, facial scan, etc.) within PII, while others do not. Additionally, the deadlines for reporting a discovered breach can also vary widely. Significantly, some states and regulatory bodies have taken steps to increase the standards applied to protecting PII. As an example, New York has enacted laws that have very specific requirements a company must meet in order to be compliant.

How does data breach disclosure work in Oklahoma?

Generally, any person or entity that collects and stores PII is subject to Oklahoma’s data breach notification laws. If a breach of PII is discovered, that person or entity must comply with the various breach notifications in the applicable laws. In Oklahoma, notice is to be made as soon as practicable following discovery of the breach. Once notice is made to the affected individuals, there are requirements for what the breached entity must do, including reporting to specific law enforcement entities and providing credit monitoring for the affected individuals for a specific length of time. Again, these requirements can vary from state to state. Typically, the large data breaches ultimately result in litigation being filed by the affected individuals and/or specific related regulatory authorities, which is what led to the Equifax settlement.

Security and data protection procedures are everyone’s concern

Q: With the recent breach of Equifax, it seems that vulnerability to identity fraud is everywhere. Are there measures I can take on behalf of my company and employees to minimize risk?

Fred A. Leibrock is an experienced trial lawyer who has tried dozens of jury trials and has served as lead counsel in a number of significant cases involving complex, multi-jurisdiction issues.

A: Act now and seek professional technical assistance. Hire the right technical person or firm to help you test your systems, assess your vulnerabilities and implement your security and data protection procedures and recovery plans. The question isn’t whether someone will try to steal your data, but when. You need to be ready.

Q: From a legal standpoint, if my company’s data is breached, can my company be held liable for harm to employees or customers whose information may have been compromised?

A: Yes. Although this is a rapidly emerging area of the law, as a general rule an entity that is negligent in safeguarding confidential customer or employee data can be held liable as a result of a breach, or as a result of disregarding legal notice requirements after the breach. The principal question on the issue of liability is whether the entity took reasonable steps before the breach to protect the data, and after the breach to protect and notify the customers or employees. What’s reasonable is a moving target that must be determined on a case-by-case basis. However, there are few legitimate excuses in this day and age for a company to not take significant affirmative steps to safeguard electronic data.

Q: What are some of the bigger mistakes that companies make when it comes to protecting their data?

A: According to the Federal Trade Commission, the principal unreasonable practices that result in data breaches include weak password policies, lack of encryption, broad dissemination of administrative passwords, and lack of security between systems with sensitive data and other computers inside and outside the network.

Q: What measures can I take to protect my company from a data breach?

A: Engage in advance planning. To reduce the risks of a data breach, follow the recommendations of the National Institute for Standards & Technology by planning ahead of a breach to: identify the components of your systems and their vulnerabilities; protect the components from penetration; detect latent threats that may have already penetrated your systems; respond to a breach and recover from a breach. Also, train your employees to be alert to cybersecurity risks.

Q: It seems like all businesses rely on digital data transfer, whether it’s using file transfer services or sending sensitive documents through email. How do I continue to take advantage of these conveniences and still secure my information?

A: Avoid unnecessary risks. There are a million affordable products on the market that allow you to encrypt stored data and data in transmission. Use them and be willing to pay for security and data protection. If you must transmit sensitive data over an unsecure network, at a minimum encrypt it with a strong password before transmitting it.

From NewsOK / by Paula Burkes
Published: September 20, 2017
Click to see full story – Data security, cyber threats are everyone’s concern

Click to see Fred Leibrock’s attorney profile